The Interactive Advertising Bureau (IAB) issued a highly anticipated proposal last week for an industry-wide framework to address challenges posed by the soon to be effective California Consumer Privacy Act (CCPA).

CCPA Notice and Opt-Out ObligationsUnder Section 1798.115(d) of the CCPA, a third party to whom personal information about a consumer has been sold may not sell such personal information to another party unless the consumer has received explicit notice of the sale of the consumer’s personal information and the opportunity to opt-out.

Due to practical and technical limitations, downstream participants in the digital advertising ecosystem (such as ad exchanges, supply-side platforms, demand-side platforms, advertisers and other ad-tech providers) do not typically have the ability to ascertain whether a consumer visiting a publisher’s website is a California resident (such that CCPA would apply), whether the consumer was duly provided with explicit notice and an opportunity to opt-out or whether the consumer has exercised the right to opt-out of the sale of his or her personal information, and are not in a position to provide their own explicit notice.

Furthermore, when a consumer opts-out, information may still be shared with service providers (and service providers of the service providers, which the IAB refers to as “Sub-Processors”) for the limited purposes of delivering, measuring and reporting ad placements. However, the CCPA requires that the publisher have a written contract with a service provider as a condition of disclosing a consumer’s personal information.

IAB FrameworkThe IAB framework hopes to address the above issues by devising a technical plan to notify downstream parties and proposing a limited service provider contract (IAB Contract) that will apply if a consumer exercises his or her opt-out right.

The proposed technical solution will allow publishers to send signals to all downstream parties letting them know whether:

The publisher meets the definition of “business” under CCPA,

The consumer is a California consumer, and

The publisher provided “explicit notice” and the opportunity to opt-out.

Providing Notice and Choice and Honoring Opt-OutsIn order to meet the requirement to provide explicit notice and the opportunity to opt-out, the publisher will include the required “Do Not Sell My Personal Information” link on:

Its homepage,

Every page on which personal information is collected, and

In its privacy policy.

In addition, an icon will appear next to the “Do Not Sell My Personal Information” that, when clicked, will communicate to the user that the publisher and its partners may share the personal information that they collect with third parties.

The user will have the option to click the “Do Not Sell My “Personal Information” link if the user does not wish for the publisher or its partners to sell the user’s personal information to third parties. Clicking the link would act as a one-click device level opt-out (or, if technologically feasible, a user-level opt-out).

Opt-Out SignalA signal will be sent downstream if the consumer does, in fact, opt-out or if the publisher is unable to comply with the notice requirement (in which case the consumer will be treated as having opted-out).

If the opt-out signal is sent, the downstream parties will be bound by the IAB Contract, which, under the CCPA, obligates all downstream parties to use personal information in a way that is not classified as a sale, thereby converting the ad tech companies from a “third party” to a “service provider” who may only process personal information received from the publisher for the publisher’s business purpose.

The downstream partner would no longer be able to build a profile about a consumer or otherwise use the information for retargeting outside the scope of the initial interaction with the consumer. Additionally, the contract would bar DSPs from providing bid request data to advertisers and agencies, as the IAB considers this to be unnecessary for the publisher’s business purpose.

The IAB ContractThe goal of the IAB Contract is to enable parties to pass obligations downstream to other members with whom the publisher would not have had a direct contractual relationship. The IAB Contract would dictate that the requirements of the IAB Contract must be passed down to any service providers of the downstream participants that are hired to perform services related to delivery, measurement, verification and other functions.

The standards in the IAB Contract will be passed down to advertisers by establishing a limited service provider relationship between the advertiser and the publisher. When a consumer opts out, the advertiser may receive personal information from the DSP (or directly from the publisher) only for business purposes that relate to media buys on the publisher’s property – primarily, to measure performance.

The Other Side of the Coin – Upstream Transfers of InformationA similar framework will apply to personal information transferred upstream by advertisers. Advertisers that choose to “sell” personal information collected on advertiser properties will need to comply with the same notice and opt-out requirements and provide the signals discussed above to the upstream parties. If a consumer opts-out or if the advertiser is unable to comply with the notice requirement, the IAB Contract will be utilized to allow the transfer of personal information upstream for limited use by the upstream parties as service providers of the advertiser.

Next StepsIn very short order, the IAB will publish technical specifications for public comment and will then release the IAB Contract and educational materials so that the framework will be ready by January 1, 2020.

The Bottom Line

As the ad tech industry struggles with how to comply with CCPA opt-out requests come January 1, 2020, the Interactive Advertising Bureau has proposed an industry framework to allow consumer opt-outs exercised on a publisher’s site to flow down to ad tech partners, thereby converting such partners from third parties to service providers under CCPA. The solution relies primarily upon signals generated through the CCPA-required “Do Not Sell My Personal Information” link. All parties in the digital media ecosystem need to closely follow the development of this standard.